Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    e26d847da7fb94790bda40653258a57c_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240915-n44b4sseng

  • MD5

    e26d847da7fb94790bda40653258a57c

  • SHA1

    29a0da72aec1ffed29d2a1b1ba7a1ccaca6f48a0

  • SHA256

    2a3a6f71ab223a83c160319b03eed2b2a2f499381fb0d8d4c78b1955c9ac5563

  • SHA512

    7f0b1d6af12df8a5e799cc7b0f2fdab3f400a6cd3e4b95f562e142c248154ee9938b3303c40addc7f82d400ec2cc90b15f15035c12172fcf32aa6b5d48e799b5

  • SSDEEP

    24576:qRpai+zCiBH5zhlR26UWMyxG/w4c1vbLgQPe8:Ot+uIH5DnUWXxG/wlTMn8

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    c44MAMBxPAEZKQf

Targets

    • Target

      IMG_Catalogue Document.exe

    • Size

      2.6MB

    • MD5

      d7dd6b7b5ec7a51fdf361c054ab58cad

    • SHA1

      d9352be72a941a83b365517e8a1b9dddbf2c92f4

    • SHA256

      b6ce907a6f4755fdb15dcf94fe846ee1214806b69e8288e2b480aab57d4333b1

    • SHA512

      36c8ce185feb9f87784de3ab36e199f4cf1c6bd34204b526472544ceb29a968c18f43b9cfb4d4fd0c80cd9d062f0b385428d1534fd8a4effd8d4421e38f68b61

    • SSDEEP

      49152:74raX5Cq4KS+o6GTGElvevobOdeUjyJeyiim+4Zf2rk1vLrcAZusEEdFGeleADri:744eV2OQ1a7

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks